In OpenLDAP's nssov you use access controls on the ipHost entries instead, and just by assigning users to groups and granting groups access to the ipHost / authorizedService attribute you can control authorization in a centralized location. It's far more scalable, auditable, and thus more secure.

        If it's a matter of controlling host access, NIS-like netgroups
        (along with pam_access to allow or deny access) could probably
        also be tried.


As an aside, I'm not talking about authentication and authorization for resources. I'm talking about authentication and authorization TO ldap. Right now, it seems the only way I can manage permissions in LDAP is via the slapd.conf file, creating groups and rules. Is there an easier way, or do I need to auto-generate my slapd.conf? The way we're setting up our directory access, we need a lot of users (which can be in ldap of course, so I'm not worried there) and a lot of groups.

-M
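A slapd.conf ACL fragment, added here as an illustration (not from either poster, and the suffix, group and container DNs are hypothetical), showing how group-based "access to" rules keep the authorization decisions in the directory itself, as suggested above:

```conf
# Constructed example. Assumes a suffix of dc=example,dc=com, groups of
# objectClass groupOfNames under ou=groups, hosts under ou=hosts.
# ACLs are evaluated in order and the first matching "access to" clause
# wins, so the most specific rules come first.

# Passwords: owner may change it, anonymous may only bind with it,
# the directory admins group may reset it, nobody else sees it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
    by * none

# ipHost entries: only the host-admins group may edit which services a
# host authorizes; authenticated users may read, everyone else is denied.
access to dn.subtree="ou=hosts,dc=example,dc=com" attrs=authorizedService
    by group.exact="cn=host-admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# Group membership itself is sensitive: only ldap-admins may change it,
# so that a user cannot add themselves to host-admins.
access to dn.subtree="ou=groups,dc=example,dc=com" attrs=member
    by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# Everything else: admins write, authenticated users read, anonymous none.
access to *
    by group.exact="cn=ldap-admins,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

Adding a user to cn=host-admins or cn=ldap-admins is then the whole authorization change; slapd.conf never needs regenerating. The rules can be checked offline with slapacl, e.g. `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "cn=host1,ou=hosts,dc=example,dc=com" authorizedService/write`.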
